urelas | c0016f5e9c5d45467648bf7f23e3d02da2d45e2f4e615f06e3b5c11202e6117c

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe
Size

542KB
MD5

8992bcdc39859d796f6681c2bbeb87a0
SHA1

bf7340ac1b9b3813809b7ec8c7a45259a8465b6b
SHA256

c0016f5e9c5d45467648bf7f23e3d02da2d45e2f4e615f06e3b5c11202e6117c
SHA512

291fc7ad24889bd694700348a289c99b9fbfc030d8e9d7bc8ad1f6866b170c5486a4b5c123a4f79bbdc43a7b88c9f952aa64ab8629913045ba372007e8f3656d
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuo:92SLi70T7Mifjz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2576	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

kyzep.exekiitg.exe

pid	Process
1984	kyzep.exe
2568	kiitg.exe

Loads dropped DLL 2 IoCs

Processes:

8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exekyzep.exe

pid	Process
2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe
1984	kyzep.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x00080000000164de-4.dat	upx
behavioral1/memory/1984-15-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2204-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/1984-20-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/1984-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exekyzep.execmd.exekiitg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyzep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiitg.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

kiitg.exe

pid	Process
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe
2568	kiitg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exekyzep.exe

description	pid	Process	procid_target
PID 2204 wrote to memory of 1984	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	28
PID 2204 wrote to memory of 1984	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	28
PID 2204 wrote to memory of 1984	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	28
PID 2204 wrote to memory of 1984	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2576	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2576	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2576	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2576	2204	8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe	29
PID 1984 wrote to memory of 2568	1984	kyzep.exe	33
PID 1984 wrote to memory of 2568	1984	kyzep.exe	33
PID 1984 wrote to memory of 2568	1984	kyzep.exe	33
PID 1984 wrote to memory of 2568	1984	kyzep.exe	33

C:\Users\Admin\AppData\Local\Temp\8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\kyzep.exe
  "C:\Users\Admin\AppData\Local\Temp\kyzep.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\kiitg.exe
    "C:\Users\Admin\AppData\Local\Temp\kiitg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
adc76dac032a1cc621c5840d97f7de5f

SHA1
c49e6ed05ae6d438460b280589b378cbebf21d4f

SHA256
942bd8cae960ed81ca96dec93b191a8f64b26c5d8dbd63c349296576c3a5a2db

SHA512
ece45c4080cea143b11fe438e7e1504dfa3c8b54d9a349a022fd1bddf132328185312823a91d9ff75d37e86adb5f63f1c506b5aa14a962bc42bf8a25047ffc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
27c06a77d08c8fce0db26f7b8f1f97ec

SHA1
a03e43237638b3eb0fec0b35a0d3d2c2fc1cc53c

SHA256
7ee11ae154f6cd11846400ac9b54d3882ca2903de7c5c8163d4d7ad99ef06fed

SHA512
75f22a07c5a5cc7ba6acf5449d3f09cdd480cec516b104f7340fd0073f784272cfa02985fc94399d905a4f60c95f415ab229173f95986b305d5ea25aaee47ab9

Download Submit
\Users\Admin\AppData\Local\Temp\kiitg.exe

Filesize
230KB

MD5
309a18c9a37e90244ba6a1e9cedb8ee3

SHA1
b15bb649a4f147d0c2ffbaafb574ffdbc51b4e1e

SHA256
080fcb61c1e9975bc5035aa5e383f387a7143fd8223d34eb28a75ebb3a599933

SHA512
eaf0a866bdfe8ea767713d4be730e89fa778364148667aa174ec716f8e5b473abf84c08d766f130ff2f6d38a482537374ca436aeba2ec86af11f6e12ec48a9e3

Download Submit
\Users\Admin\AppData\Local\Temp\kyzep.exe

Filesize
542KB

MD5
fbf5debc4a10ba2943a2b6c9996c09c3

SHA1
3db4c19615208a79f2b5c2ad104e2c4ff4af0f96

SHA256
55d4bae6f4c34bebd587cb00b84f45f085aa71fe46210bdd70d979b72427a46f

SHA512
e6ea702c4c7da9b9ee2efa6cb5123d9c8eb325650835bd2f2d41d2f99ca1229222fa1dde8750f6b5cf856dbf83a6723e2fdd132f1c3afbc7802a9ce06e4ba056

Download Submit
memory/1984-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1984-15-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1984-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2204-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2204-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2568-28-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download
memory/2568-30-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download
memory/2568-31-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download
memory/2568-32-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download
memory/2568-33-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download
memory/2568-34-0x0000000001180000-0x0000000001233000-memory.dmp

Filesize
716KB

Download